@@ -18,8 +18,8 @@ permissions:
|
||||
pull-requests: write
|
||||
|
||||
jobs:
|
||||
close-on-adding-invalid-label:
|
||||
if: github.repository == 'github/docs' && github.event.label.name == 'invalid'
|
||||
close-if-invalid:
|
||||
if: github.repository == 'github/docs' && (github.event.label.name == 'invalid' || github.event.pull_request.title == 'Revert "Repo sync"')
|
||||
runs-on: ubuntu-latest
|
||||
|
||||
steps:
|
||||
|
||||
16
.github/workflows/codespace-review-check.yml
@@ -32,17 +32,19 @@ jobs:
|
||||
LOGIN: docs-bot
|
||||
REPO: github/docs-internal
|
||||
run: |
|
||||
ago=$(date -d '225 minutes ago' -Iseconds)
|
||||
# If its approaching 4 hours, update the comment
|
||||
# But don't keep trying to update the comment after 5 hours cause that wastes API calls
|
||||
from=$(date -d '285 minutes ago' -Iseconds) # 5 * 60 - 15 = 285
|
||||
until=$(date -d '225 minutes ago' -Iseconds) # 4 * 60 - 15 = 225
|
||||
echo "- Ago: $ago"
|
||||
# on mac: date -v-225M -Iseconds
|
||||
# -v-225M means 225 minutes ago, 4 * 60 - 15 = 225
|
||||
# -Iseconds means ISO 8601 format, to seconds
|
||||
branches=$(
|
||||
gh codespace list \
|
||||
--repo "$REPO" \
|
||||
--limit 1000 \
|
||||
--json name,owner,lastUsedAt,gitStatus \
|
||||
--jq ".[] | select(.owner == \"$LOGIN\" and .lastUsedAt < \"$ago\") | .gitStatus.ref" \
|
||||
--jq ".[] | select(.owner == \"$LOGIN\" and .lastUsedAt < \"$until\" and .lastUsedAt > \"$from\") | .gitStatus.ref" \
|
||||
)
|
||||
echo "- Branches:"
|
||||
echo "$(echo "$branches" | sed 's/^/ /')"
|
||||
@@ -111,14 +113,14 @@ jobs:
|
||||
|
||||
### Review this PR in a codespace 📦
|
||||
|
||||
Your codespace is no longer active.
|
||||
The codespace is no longer active.
|
||||
You’ve reached the 4 hour limit.
|
||||
In order to reactivate your codespace, please update your pull request by adding the https://github.com/${{ env.REPO }}/labels/extend-codespace label.
|
||||
If the label is already applied, you can remove and reapply the label to reactivate your codespace.
|
||||
In order to reactivate the codespace, please update the pull request by adding the https://github.com/${{ env.REPO }}/labels/extend-codespace label.
|
||||
If the label is already applied, you can remove and reapply the label to reactivate the codespace.
|
||||
|
||||
🤖 This comment is [automatically generated][workflow].
|
||||
|
||||
[workflow]: ${{ github.server_url }}/${{ github.repository }}/blob/${{ github.sha }}/.github/workflows/codespace-review-check.yml
|
||||
[workflow]: ${{ github.server_url }}/${{ github.repository }}/blob/${{ github.workflow_sha }}/.github/workflows/codespace-review-check.yml
|
||||
|
||||
- uses: ./.github/actions/slack-alert
|
||||
if: ${{ failure() && github.event_name != 'workflow_dispatch' }}
|
||||
|
||||
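Review bot: The new window filter `.lastUsedAt < "$until" and .lastUsedAt > "$from"` compares ISO-8601 strings lexicographically, which is only sound while both sides are expressed in UTC; `date -Iseconds` emits the runner's local offset, and the codespaces API value is presumably UTC, so on a non-UTC machine (the mac notes suggest this is also run by hand) the 225/285-minute window silently shifts by the offset. Pin it explicitly: `from=$(date -u -d '285 minutes ago' -Iseconds)` and `until=$(date -u -d '225 minutes ago' -Iseconds)`, and add `# string compare is valid only because both timestamps are UTC` above the jq filter. I also cannot tell from the hunk whether the old `ago=` assignment and its echo were removed alongside the filter change; if they remain, `ago` is now dead. The `run:` block continues outside the hunk.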
4
.github/workflows/codespace-review-down.yml
@@ -77,8 +77,8 @@ jobs:
|
||||
|
||||
### Review this PR in a codespace 📦
|
||||
|
||||
Your pull request is now merged or closed, so I've removed all automatically created codespaces.
|
||||
The pull request is now merged or closed, so I've removed all automatically created codespaces.
|
||||
|
||||
🤖 This comment is [automatically generated][workflow].
|
||||
|
||||
[workflow]: ${{ github.server_url }}/${{ github.repository }}/blob/${{ github.sha }}/.github/workflows/codespace-review-down.yml
|
||||
[workflow]: ${{ github.server_url }}/${{ github.repository }}/blob/${{ github.workflow_sha }}/.github/workflows/codespace-review-down.yml
|
||||
|
||||
16
.github/workflows/codespace-review-up.yml
@@ -107,7 +107,7 @@ jobs:
|
||||
gh pr comment \
|
||||
"$branch" \
|
||||
--repo "$REPO" \
|
||||
--body "Thank you for your pull request. I deleted the oldest codespaces to make room for a new one. You can make a new codespace by updating your pull request or closing and reopening your pull request."
|
||||
--body "Thank you for this pull request. I deleted the oldest codespaces to make room for a new one. You can make a new codespace by updating the pull request or closing and reopening the pull request."
|
||||
echo "Commented on branch $branch"
|
||||
done
|
||||
echo "Deleted the oldest $tocut codespaces"
|
||||
@@ -205,18 +205,18 @@ jobs:
|
||||
|
||||
### Review this PR in a codespace 📦
|
||||
|
||||
Your codespace will be ready in two to three minutes and you can review changes at:
|
||||
The codespace will be ready in two to three minutes and you can review changes at:
|
||||
${{ env.APP_URL }}
|
||||
Your codespace will be automatically deleted once your pull request is closed or merged.
|
||||
The codespace will be automatically deleted once the pull request is closed or merged.
|
||||
|
||||
#### Your codespace will idle after 4 hours of inactivity
|
||||
#### The codespace will idle after 4 hours of inactivity
|
||||
|
||||
After 4 hours, you can reactivate your codespace by applying the https://github.com/${{ env.REPO }}/labels/extend-codespace label to the pull request.
|
||||
If the label is already applied, you can remove and reapply the label to reactivate your codespace.
|
||||
After 4 hours, you can reactivate the codespace by applying the https://github.com/${{ env.REPO }}/labels/extend-codespace label to the pull request.
|
||||
If the label is already applied, you can remove and reapply the label to reactivate the codespace.
|
||||
|
||||
<details><summary>Table of review links</summary>
|
||||
|
||||
${{ steps.changes.outputs.changesTable && 'The table shows the files in the `content` directory that were changed in this pull request. This helps you review your changes on the review server. Changes to the `data` directory are not included in this table.' || '' }}
|
||||
${{ steps.changes.outputs.changesTable && 'The table shows the files in the `content` directory that were changed in this pull request. Changes to the `data` directory are not included in this table.' || '' }}
|
||||
|
||||
${{ steps.changes.outputs.changesTable || '_This pull request contains code changes, so we will not generate a table of review links._' }}
|
||||
|
||||
@@ -226,4 +226,4 @@ jobs:
|
||||
|
||||
🤖 This comment is [automatically generated][workflow].
|
||||
|
||||
[workflow]: ${{ github.server_url }}/${{ github.repository }}/blob/${{ github.sha }}/.github/workflows/codespace-review-up.yml
|
||||
[workflow]: ${{ github.server_url }}/${{ github.repository }}/blob/${{ github.workflow_sha }}/.github/workflows/codespace-review-up.yml
|
||||
|
||||
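Review bot: `${{ steps.changes.outputs.changesTable }}` is expanded straight into the comment body in the table paragraph on the new side; that output is derived from file names in the pull request, so if the body is assembled inside a `run:` step the expression is substituted before the shell parses it and a crafted path could break out of the quoting. Route it through the environment instead, `env:` with `CHANGES_TABLE: ${{ steps.changes.outputs.changesTable }}` and `$CHANGES_TABLE` in the script, so the value stays data rather than code; if the body is passed to an action input this is only a markdown-injection consideration. The step that builds this body starts outside the hunk, so I cannot confirm which form it takes.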
2
.github/workflows/review-comment.yml
@@ -100,6 +100,6 @@ jobs:
|
||||
|
||||
🤖 This comment is [automatically generated][workflow].
|
||||
|
||||
[workflow]: ${{ github.server_url }}/${{ github.repository }}/blob/${{ github.sha }}/.github/workflows/review-comment.yml
|
||||
[workflow]: ${{ github.server_url }}/${{ github.repository }}/blob/${{ github.workflow_sha }}/.github/workflows/review-comment.yml
|
||||
[codespace]: ${{ github.repository == 'github/docs-internal' && 'https://github.com/github/docs-team/blob/main/contributing-to-docs/use-a-codespace-to-review.md' || 'https://docs.github.com/en/contributing/setting-up-your-environment-to-work-on-github-docs/working-on-github-docs-in-a-codespace' }}
|
||||
[local]: https://docs.github.com/en/contributing/setting-up-your-environment-to-work-on-github-docs/creating-a-local-environment#setting-up-your-local-environment
|
||||
|
||||
@@ -126,7 +126,7 @@ Once custom deployment protection rules have been created and installed on a rep
|
||||
|
||||
## Environment secrets
|
||||
|
||||
Secrets stored in an environment are only available to workflow jobs that reference the environment. If the environment requires approval, a job cannot access environment secrets until one of the required reviewers approves it. For more information about secrets, see [AUTOTITLE](/actions/security-guides/using-secrets-in-github-actions).
|
||||
Secrets stored in an environment are only available to workflow jobs that reference the environment. If the environment requires approval, a job cannot access environment secrets until one of the required reviewers approves it. For more information about secrets, see [AUTOTITLE](/actions/security-for-github-actions/security-guides/about-secrets).
|
||||
|
||||
{% ifversion fpt %}
|
||||
> [!NOTE]
|
||||
|
||||
@@ -264,7 +264,7 @@ For more information, see [AUTOTITLE](/actions/using-workflows/events-that-trigg
|
||||
|
||||
GitLab CI/CD and {% data variables.product.prodname_actions %} support setting variables in the pipeline or workflow configuration file, and creating secrets using the GitLab or {% data variables.product.github %} UI.
|
||||
|
||||
For more information, see [AUTOTITLE](/actions/learn-github-actions/variables) and [AUTOTITLE](/actions/security-guides/using-secrets-in-github-actions).
|
||||
For more information, see [AUTOTITLE](/actions/learn-github-actions/variables) and [AUTOTITLE](/actions/security-for-github-actions/security-guides/about-secrets).
|
||||
|
||||
## Caching
|
||||
|
||||
|
||||
@@ -163,7 +163,7 @@ When migrating from Travis CI, consider the following key features in {% data va
|
||||
|
||||
### Storing secrets
|
||||
|
||||
{% data variables.product.prodname_actions %} allows you to store secrets and reference them in your jobs. {% data variables.product.prodname_actions %} organizations can limit which repositories can access organization secrets. Deployment protection rules can require manual approval for a workflow to access environment secrets. For more information, see [AUTOTITLE](/actions/security-guides/using-secrets-in-github-actions).
|
||||
{% data variables.product.prodname_actions %} allows you to store secrets and reference them in your jobs. {% data variables.product.prodname_actions %} organizations can limit which repositories can access organization secrets. Deployment protection rules can require manual approval for a workflow to access environment secrets. For more information, see [AUTOTITLE](/actions/security-for-github-actions/security-guides/about-secrets).
|
||||
|
||||
### Sharing files between jobs and workflows
|
||||
|
||||
|
||||
@@ -0,0 +1,52 @@
|
||||
---
|
||||
title: About secrets
|
||||
intro: 'Learn about secrets as they''re used in GitHub Actions.'
|
||||
versions:
|
||||
fpt: '*'
|
||||
ghes: '*'
|
||||
ghec: '*'
|
||||
---
|
||||
|
||||
{% data reusables.actions.enterprise-github-hosted-runners %}
|
||||
|
||||
## About secrets
|
||||
|
||||
Secrets allow you to store sensitive information in your organization, repository, or repository environments. Secrets are variables that you create to use in {% data variables.product.prodname_actions %} workflows in an organization, repository, or repository environment.
|
||||
|
||||
{% data variables.product.prodname_actions %} can only read a secret if you explicitly include the secret in a workflow.
|
||||
|
||||
## Naming your secrets
|
||||
|
||||
>[!TIP]
|
||||
> To help ensure that {% data variables.product.prodname_dotcom %} redacts your secrets in logs correctly, avoid using structured data as the values of secrets.
|
||||
|
||||
The following rules apply to secret names:
|
||||
|
||||
{% data reusables.actions.actions-secrets-and-variables-naming %}
|
||||
|
||||
{% data reusables.codespaces.secret-precedence %} Similarly, if an organization, repository, and environment all have a secret with the same name, the environment-level secret takes precedence.
|
||||
|
||||
## Using your secrets in workflows
|
||||
|
||||
{% data reusables.actions.secrets-redaction-warning %}
|
||||
|
||||
{% data reusables.actions.secrets-org-level-overview %}
|
||||
|
||||
For environment secrets, you can enable required reviewers to control access to the secrets. A workflow job cannot access environment secrets until approval is granted by required approvers.
|
||||
|
||||
To make a secret available to an action, you must set the secret as an input or environment variable in your workflow file. Review the action's README file to learn about which inputs and environment variables the action expects. See [AUTOTITLE](/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsenv).
|
||||
|
||||
Organization and repository secrets are read when a workflow run is queued, and environment secrets are read when a job referencing the environment starts.
|
||||
|
||||
## Limiting credential permissions
|
||||
|
||||
When generating credentials, we recommend that you grant the minimum permissions possible. For example, instead of using personal credentials, use [deploy keys](/authentication/connecting-to-github-with-ssh/managing-deploy-keys#deploy-keys) or a service account. Consider granting read-only permissions if that's all that is needed, and limit access as much as possible.
|
||||
|
||||
When generating a {% data variables.product.pat_v1 %}, select the fewest scopes necessary. When generating a {% data variables.product.pat_v2 %}, select the minimum permissions and repository access required.
|
||||
|
||||
Instead of using a {% data variables.product.pat_generic %}, consider using a {% data variables.product.prodname_github_app %}, which uses fine-grained permissions and short lived tokens, similar to a {% data variables.product.pat_v2 %}. Unlike a {% data variables.product.pat_generic %}, a {% data variables.product.prodname_github_app %} is not tied to a user, so the workflow will continue to work even if the user who installed the app leaves your organization. For more information, see [AUTOTITLE](/apps/creating-github-apps/guides/making-authenticated-api-requests-with-a-github-app-in-a-github-actions-workflow).
|
||||
|
||||
## Further reading
|
||||
|
||||
* [AUTOTITLE](/actions/security-for-github-actions/security-guides/using-secrets-in-github-actions)
|
||||
* [AUTOTITLE](/rest/actions/secrets)
|
||||
@@ -8,6 +8,7 @@ versions:
|
||||
ghec: '*'
|
||||
children:
|
||||
- /security-hardening-for-github-actions
|
||||
- /about-secrets
|
||||
- /using-secrets-in-github-actions
|
||||
- /automatic-token-authentication
|
||||
- /using-githubs-security-features-to-secure-your-use-of-github-actions
|
||||
|
||||
@@ -80,7 +80,7 @@ For information on how to configure {% data variables.product.prodname_dependabo
|
||||
|
||||
## Protecting actions you've created
|
||||
|
||||
{% data variables.product.prodname_dotcom %} enables collaboration between people who publish and maintain actions and vulnerability reporters in order to promote code security. {% data reusables.security-advisory.security-advisory-overview %}
|
||||
{% data variables.product.prodname_dotcom %} enables collaboration between people who publish and maintain actions and vulnerability reporters in order to promote secure coding. {% data reusables.security-advisory.security-advisory-overview %}
|
||||
|
||||
If you are someone who maintains an action that is used in other projects, you can use the following {% data variables.product.prodname_dotcom %} features to enhance the security of the actions you've published.
|
||||
|
||||
|
||||
@@ -19,51 +19,7 @@ versions:
|
||||
|
||||
{% data reusables.actions.enterprise-github-hosted-runners %}
|
||||
|
||||
## About secrets
|
||||
|
||||
Secrets are variables that you create in an organization, repository, or repository environment. The secrets that you create are available to use in {% data variables.product.prodname_actions %} workflows. {% data variables.product.prodname_actions %} can only read a secret if you explicitly include the secret in a workflow.
|
||||
|
||||
{% data reusables.actions.secrets-org-level-overview %}
|
||||
|
||||
For secrets stored at the environment level, you can enable required reviewers to control access to the secrets. A workflow job cannot access environment secrets until approval is granted by required approvers.
|
||||
|
||||
> [!NOTE]
|
||||
> {% data reusables.actions.about-oidc-short-overview %}
|
||||
|
||||
### Naming your secrets
|
||||
|
||||
The following rules apply to secret names:
|
||||
|
||||
{% data reusables.actions.actions-secrets-and-variables-naming %}
|
||||
|
||||
For example, a secret created at the environment level must have a unique name in that environment, a secret created at the repository level must have a unique name in that repository, and a secret created at the organization level must have a unique name at that level.
|
||||
|
||||
{% data reusables.codespaces.secret-precedence %} Similarly, if an organization, repository, and environment all have a secret with the same name, the environment-level secret takes precedence.
|
||||
|
||||
To help ensure that {% data variables.product.prodname_dotcom %} redacts your secrets in logs correctly, avoid using structured data as the values of secrets. For example, avoid creating secrets that contain JSON or encoded Git blobs. Using structured data as secrets could cause non-secrets to be detected as such, making passing data between workflows harder to implement. In such cases, consider manipulating the structured data, for example encoding them to a string, before storing them as secrets, and decoding them before they are used.
|
||||
|
||||
### Accessing your secrets
|
||||
|
||||
To make a secret available to an action, you must set the secret as an input or environment variable in the workflow file. Review the action's README file to learn about which inputs and environment variables the action expects. For more information, see [AUTOTITLE](/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsenv).
|
||||
|
||||
You can use and read secrets in a workflow file if you have access to edit the file. For more information, see [AUTOTITLE](/get-started/learning-about-github/access-permissions-on-github).
|
||||
|
||||
{% data reusables.actions.secrets-redaction-warning %}
|
||||
|
||||
Organization and repository secrets are read when a workflow run is queued, and environment secrets are read when a job referencing the environment starts.
|
||||
|
||||
You can also manage secrets using the REST API. For more information, see [AUTOTITLE](/rest/actions/secrets).
|
||||
|
||||
### Limiting credential permissions
|
||||
|
||||
When generating credentials, we recommend that you grant the minimum permissions possible. For example, instead of using personal credentials, use [deploy keys](/authentication/connecting-to-github-with-ssh/managing-deploy-keys#deploy-keys) or a service account. Consider granting read-only permissions if that's all that is needed, and limit access as much as possible.
|
||||
|
||||
When generating a {% data variables.product.pat_v1 %}, select the fewest scopes necessary. When generating a {% data variables.product.pat_v2 %}, select the minimum permissions and repository access required.
|
||||
|
||||
Instead of using a {% data variables.product.pat_generic %}, consider using a {% data variables.product.prodname_github_app %}, which uses fine-grained permissions and short lived tokens, similar to a {% data variables.product.pat_v2 %}. Unlike a {% data variables.product.pat_generic %}, a {% data variables.product.prodname_github_app %} is not tied to a user, so the workflow will continue to work even if the user who installed the app leaves your organization. For more information, see [AUTOTITLE](/apps/creating-github-apps/guides/making-authenticated-api-requests-with-a-github-app-in-a-github-actions-workflow).
|
||||
|
||||
> [!NOTE]
|
||||
> Users with collaborator access to a repository can use the REST API to manage secrets for that repository, and users with admin access to an organization can use the REST API to manage secrets for that organization. For more information, see [AUTOTITLE](/rest/actions/secrets).
|
||||
For general information about secrets, see [AUTOTITLE](/actions/security-for-github-actions/security-guides/about-secrets).
|
||||
|
||||
## Creating secrets for a repository
|
||||
|
||||
@@ -212,6 +168,7 @@ You can check which access policies are being applied to a secret in your organi
|
||||
> [!NOTE]
|
||||
> * {% data reusables.actions.forked-secrets %}
|
||||
> * Secrets are not automatically passed to reusable workflows. For more information, see [AUTOTITLE](/actions/using-workflows/reusing-workflows#passing-inputs-and-secrets-to-a-reusable-workflow).
|
||||
> {% data reusables.actions.about-oidc-short-overview %}
|
||||
|
||||
To provide an action with a secret as an input or environment variable, you can use the `secrets` context to access secrets you've created in your repository. For more information, see [AUTOTITLE](/actions/learn-github-actions/contexts) and [AUTOTITLE](/actions/using-workflows/workflow-syntax-for-github-actions).
|
||||
|
||||
|
||||
@@ -30,7 +30,7 @@ You can set a custom variable in two ways.
|
||||
* To define a configuration variable across multiple workflows, you can define it at the organization, repository, or environment level. For more information, see [Defining configuration variables for multiple workflows](#defining-configuration-variables-for-multiple-workflows).
|
||||
|
||||
> [!WARNING]
|
||||
> By default, variables render unmasked in your build outputs. If you need greater security for sensitive information, such as passwords, use secrets instead. For more information, see [AUTOTITLE](/actions/security-guides/using-secrets-in-github-actions).
|
||||
> By default, variables render unmasked in your build outputs. If you need greater security for sensitive information, such as passwords, use secrets instead. For more information, see [AUTOTITLE](/actions/security-for-github-actions/security-guides/about-secrets).
|
||||
|
||||
## Defining environment variables for a single workflow
|
||||
|
||||
|
||||
@@ -1,7 +1,8 @@
|
||||
---
|
||||
title: Enforcing policies for code security and analysis for your enterprise
|
||||
intro: 'You can enforce policies to manage the use of code security and analysis features within your enterprise''s organizations.'
|
||||
permissions: 'Enterprise owners can define and enforce policies to control use of code security and analysis features in an enterprise.'
|
||||
title: Enforcing policies for security features in your enterprise
|
||||
intro: 'You can enforce policies to manage the use of security features for codebases within your enterprise''s organizations.'
|
||||
allowTitleToDifferFromFilename: true
|
||||
permissions: 'Enterprise owners'
|
||||
product: '{% data reusables.gated-features.ghas %}'
|
||||
versions:
|
||||
ghec: '*'
|
||||
@@ -26,12 +27,12 @@ redirect_from:
|
||||
- /github/setting-up-and-managing-your-enterprise/enforcing-a-policy-on-dependency-insights-in-your-enterprise-account
|
||||
- /github/setting-up-and-managing-your-enterprise/setting-policies-for-organizations-in-your-enterprise-account/enforcing-a-policy-on-dependency-insights-in-your-enterprise-account
|
||||
- /admin/policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-code-security-and-analysis-for-your-enterprise
|
||||
shortTitle: Code security & analysis
|
||||
shortTitle: Security & analysis
|
||||
---
|
||||
|
||||
## About policies for code security and analysis in your enterprise
|
||||
## About policies for using security features in your enterprise
|
||||
|
||||
You can enforce policies to manage the use of code security and analysis features within organizations owned by your enterprise. You can allow or disallow people with admin access to a repository to enable or disable the security and analysis features.
|
||||
You can enforce policies to manage the use of security features within organizations owned by your enterprise. You can allow or disallow people with admin access to a repository to enable or disable the security and analysis features.
|
||||
|
||||
Additionally, you can enforce policies for the use of {% data variables.product.prodname_GHAS %}{% ifversion ghas-products %} products{% endif %} in your enterprise's organizations and repositories.
|
||||
|
||||
|
||||
@@ -1,7 +1,7 @@
|
||||
---
|
||||
title: Managing code security for your enterprise
|
||||
title: Managing a secure coding environment for your enterprise
|
||||
allowTitleToDifferFromFilename: true
|
||||
shortTitle: Code security
|
||||
shortTitle: Secure coding
|
||||
intro: 'You can build security into your developers'' workflow with features that keep secrets and vulnerabilities out of your codebase, and that maintain your software supply chain.'
|
||||
versions:
|
||||
ghec: '*'
|
||||
|
||||
@@ -92,7 +92,7 @@ For other billing-related questions, contact {% data variables.contact.github_su
|
||||
|
||||
{% elsif ghes %}
|
||||
|
||||
You can make extra features for code security available to users by buying and uploading a license for {% data variables.product.prodname_GH_advanced_security %}. For more information about {% data variables.product.prodname_GH_advanced_security %}, see [AUTOTITLE](/get-started/learning-about-github/about-github-advanced-security).
|
||||
You can make extra features available to users by buying and uploading a license for {% data variables.product.prodname_GH_advanced_security %}. For more information about {% data variables.product.prodname_GH_advanced_security %}, see [AUTOTITLE](/get-started/learning-about-github/about-github-advanced-security).
|
||||
|
||||
{% data reusables.advanced-security.ghas-products-tip %}
|
||||
|
||||
|
||||
@@ -64,7 +64,7 @@ You can use default setup for all {% data variables.product.prodname_codeql %}-s
|
||||
|
||||
### Customizing default setup
|
||||
|
||||
We recommend that you start using {% data variables.product.prodname_code_scanning %} with default setup. After you've initially configured default setup, you can evaluate {% data variables.product.prodname_code_scanning %} to see how it's working for you. If you find that something isn't working as you expect, you can customize default setup to better meet your code security needs. For more information, see [AUTOTITLE](/code-security/code-scanning/enabling-code-scanning/evaluating-default-setup-for-code-scanning).
|
||||
We recommend that you start using {% data variables.product.prodname_code_scanning %} with default setup. After you've initially configured default setup, you can evaluate {% data variables.product.prodname_code_scanning %} to see how it's working for you. If you find that something isn't working as you expect, you can customize default setup to better meet your needs. For more information, see [AUTOTITLE](/code-security/code-scanning/enabling-code-scanning/evaluating-default-setup-for-code-scanning).
|
||||
|
||||
### About adding non-compiled and compiled languages to your default setup
|
||||
|
||||
|
||||
@@ -1,7 +1,7 @@
|
||||
---
|
||||
title: Evaluating default setup for code scanning
|
||||
shortTitle: Evaluate code scanning
|
||||
intro: 'Learn how to assess how code scanning is working for you, and how you can customize your setup to best meet your code security needs.'
|
||||
intro: 'Learn how to assess how code scanning is working for you, and how you can customize your setup to best meet your needs.'
|
||||
permissions: '{% data reusables.permissions.security-repo-enable %}'
|
||||
type: how_to
|
||||
topics:
|
||||
|
||||
@@ -69,7 +69,7 @@ If you want to see the code that triggered the security alert and the suggested
|
||||
|
||||
If you have access to {% data variables.product.prodname_copilot_chat_short %} then you can ask the AI questions about the vulnerability, the suggested fix, and how to test that the fix is comprehensive.
|
||||
|
||||
To get the most out of {% data variables.product.prodname_copilot_chat_short %} when you're working on code security, you should explicitly ask {% data variables.product.prodname_copilot_chat_short %} to use the {% data variables.product.prodname_GH_advanced_security %} skill to answer your questions.
|
||||
To get the most out of {% data variables.product.prodname_copilot_chat_short %} when you're working with alerts, you should explicitly ask {% data variables.product.prodname_copilot_chat_short %} to use the {% data variables.product.prodname_GH_advanced_security %} skill to answer your questions.
|
||||
|
||||
For example: "Use the {% data variables.product.prodname_GH_advanced_security %} skill to explain how this alert introduces a vulnerability into the code."
|
||||
|
||||
|
||||
@@ -30,7 +30,7 @@ In an organization's security overview dashboard, you can view the total number
|
||||
|
||||
## Developer experience
|
||||
|
||||
{% data variables.product.prodname_code_scanning_caps %} users can already see security alerts to analyze their pull requests. However, developers often have little training in code security so fixing these alerts requires substantial effort. They must first read and understand the alert location and description, and then use that understanding to edit the source code to fix the vulnerability.
|
||||
{% data variables.product.prodname_code_scanning_caps %} users can already see security alerts to analyze their pull requests. However, developers often have little training in secure coding so fixing these alerts requires substantial effort. They must first read and understand the alert location and description, and then use that understanding to edit the source code to fix the vulnerability.
|
||||
|
||||
{% data variables.product.prodname_copilot_autofix_short %} lowers the barrier of entry to developers by combining information on best practices with details of the codebase and alert to suggest a potential fix to the developer. Instead of starting with a search for information about the vulnerability, the developer starts with a code suggestion that demonstrates a potential solution for their codebase. The developer evaluates the potential fix to determine whether it is the best solution for their codebase and to ensure that it maintains the intended behavior.
|
||||
|
||||
|
||||
@@ -1,7 +1,7 @@
|
||||
---
|
||||
title: Editing your configuration of default setup
|
||||
shortTitle: Edit default setup
|
||||
intro: 'You can edit your existing configuration of default setup for {% data variables.product.prodname_code_scanning %} to better meet your code security needs.'
|
||||
intro: 'You can edit your existing configuration of default setup for {% data variables.product.prodname_code_scanning %} to better meet your needs.'
|
||||
permissions: '{% data reusables.permissions.security-org-enable %}'
|
||||
versions:
|
||||
fpt: '*'
|
||||
@@ -15,7 +15,7 @@ topics:
|
||||
|
||||
## About editing your configuration of default setup
|
||||
|
||||
After running an initial analysis of your code with default setup, you may need to make changes to your configuration to better meet your code security needs. For existing configurations of default setup, you can edit:
|
||||
After running an initial analysis of your code with default setup, you may need to make changes to your configuration to better meet your needs. For existing configurations of default setup, you can edit:
|
||||
* Which languages default setup will analyze.
|
||||
* The query suite run during analysis. For more information on the available query suites, see [AUTOTITLE](/code-security/code-scanning/managing-your-code-scanning-configuration/codeql-query-suites).{% ifversion codeql-threat-models %}
|
||||
* The threat models ({% data variables.release-phases.public_preview %}) to use for analysis. Your choice of threat model determines which sources of tainted data are treated as a risk to your application. During the {% data variables.release-phases.public_preview %}, threat models are supported only for analysis of {% data variables.code-scanning.code_scanning_threat_model_support %}. For more information about threat models, see [Including local sources of tainted data in default setup](#including-local-sources-of-tainted-data-in-default-setup).
|
||||
|
||||
@@ -1,8 +1,8 @@
---
title: Getting started with code security
title: Getting started with secure coding
shortTitle: Getting started
allowTitleToDifferFromFilename: true
intro: 'Introduction to code security with {% data variables.product.github %}.'
intro: 'Introduction to secure coding with {% data variables.product.github %}.'
versions:
fpt: '*'
ghes: '*'
@@ -13,7 +13,7 @@ topics:
## About securing your organization
{% data variables.product.company_short %} offers many code security products and features including {% data variables.product.prodname_GH_advanced_security %}, a suite of features designed to protect your organization from vulnerabilities in your code, insecure dependencies, leaked secrets, and more. For more information on {% data variables.product.prodname_GH_advanced_security %}, see [AUTOTITLE](/get-started/learning-about-github/about-github-advanced-security).
{% data variables.product.company_short %} offers many security features including {% data variables.product.prodname_GH_advanced_security %}, a suite of features designed to protect your organization from vulnerabilities in your code, insecure dependencies, leaked secrets, and more. For more information on {% data variables.product.prodname_GH_advanced_security %}, see [AUTOTITLE](/get-started/learning-about-github/about-github-advanced-security).
You can easily enable and manage {% data variables.product.company_short %}'s security features throughout your organization with {% data variables.product.prodname_security_configurations %}, which control repository-level security features, and {% data variables.product.prodname_global_settings %}, which control security features at the organization level. We recommend applying {% data variables.product.prodname_security_configurations %} _and_ customizing your {% data variables.product.prodname_global_settings %} to create a system that best meets the security needs of your organization.
@@ -60,7 +60,7 @@ Security overview has multiple views that provide different ways to explore enab
{% ifversion security-overview-dashboard %}
* **Overview:** visualize trends in **Detection**, **Remediation**, and **Prevention** of security alerts, see [AUTOTITLE](/code-security/security-overview/viewing-security-insights).{% endif %}
* **Risk and Alert views:** explore the risk from security alerts of all types or focus on a single alert type and identify your risk from specific vulnerable dependencies, code weaknesses, or leaked secrets, see [AUTOTITLE](/code-security/security-overview/assessing-code-security-risk).
* **Coverage:** assess the adoption of code security features across repositories in the organization, see [AUTOTITLE](/code-security/security-overview/assessing-adoption-code-security).{% ifversion security-overview-tool-adoption %}
* **Coverage:** assess the adoption of security features across repositories in the organization, see [AUTOTITLE](/code-security/security-overview/assessing-adoption-code-security).{% ifversion security-overview-tool-adoption %}
* **Enablement trends:** see how quickly different teams are adopting security features.{% endif %}{% ifversion security-overview-org-codeql-pr-alerts %}
* **CodeQL pull request alerts:** assess the impact of running CodeQL on pull requests and how development teams are resolving code scanning alerts, see [AUTOTITLE](/code-security/security-overview/viewing-metrics-for-pull-request-alerts).{% endif %}{% ifversion security-overview-push-protection-metrics-page %}
* **Secret scanning:** find out which types of secret are blocked by push protection{% ifversion security-overview-delegated-bypass-requests %} and which teams are bypassing push protection{% endif %}, see [AUTOTITLE](/code-security/security-overview/viewing-metrics-for-secret-scanning-push-protection){% ifversion security-overview-delegated-bypass-requests %} and [AUTOTITLE](/code-security/security-overview/reviewing-requests-to-bypass-push-protection){% endif %}.{% endif %}
@@ -1,8 +1,8 @@
---
title: Assessing adoption of code security features
title: Assessing adoption of security features
shortTitle: Assess adoption of features
allowTitleToDifferFromFilename: true
intro: 'You can use security overview to see which teams and repositories have already enabled code security features, and identify any that are not yet protected.'
intro: 'You can use security overview to see which teams and repositories have already enabled features for secure coding, and identify any that are not yet protected.'
permissions: '{% data reusables.permissions.security-overview %}'
type: how_to
topics:
@@ -19,9 +19,9 @@ versions:
## About adoption of code security features
## About adoption of features for secure coding
You can use security overview to see which repositories and teams have already enabled each code security feature, and where people need more encouragement to adopt these features. The "Security coverage" view shows a summary and detailed information on feature enablement for an organization. You can filter the view to show a subset of repositories using the "enabled" and "not enabled" links, the "Teams" dropdown menu, and a search field in the page header.
You can use security overview to see which repositories and teams have already enabled each security feature, and where people need more encouragement to adopt these features. The "Security coverage" view shows a summary and detailed information on feature enablement for an organization. You can filter the view to show a subset of repositories using the "enabled" and "not enabled" links, the "Teams" dropdown menu, and a search field in the page header.

@@ -37,9 +37,9 @@ You can use the "Enablement trends" view to see enablement status and enablement
{% endif %}
## Viewing the enablement of code security features for an organization
## Viewing the enablement of security features for an organization
You can view data to assess the enablement of code security features across repositories in an organization.
You can view data to assess the enablement of features for secure coding across repositories in an organization.
{% data reusables.organizations.navigate-to-org %}
{% data reusables.organizations.security-overview %}
@@ -49,7 +49,7 @@ You can view data to assess the enablement of code security features across repo

{% ifversion pre-security-configurations %}
1. Optionally, click **{% octicon "gear" aria-hidden="true" %} Security settings** to enable code security features for a repository and click **Save security settings** to confirm the changes. If a feature is not shown, it has more complex configuration requirements and you need to use the repository settings dialog. For more information, see [AUTOTITLE](/code-security/getting-started/securing-your-repository).
1. Optionally, click **{% octicon "gear" aria-hidden="true" %} Security settings** to enable security features for a repository and click **Save security settings** to confirm the changes. If a feature is not shown, it has more complex configuration requirements and you need to use the repository settings dialog. For more information, see [AUTOTITLE](/code-security/getting-started/securing-your-repository).
1. Optionally, select some or all of the repositories that match your current search and click **Security settings** in the table header to display a side panel where you can enable security features for the selected repositories. When you've finished, click **Apply changes** to confirm the changes. For more information, see [AUTOTITLE](/code-security/security-overview/enabling-security-features-for-multiple-repositories).
{% data reusables.security-overview.settings-limitations %}
@@ -60,9 +60,9 @@ You can view data to assess the enablement of code security features across repo
In the list of repositories, a "Paused" label under "{% data variables.product.prodname_dependabot %}" indicates repositories for which {% data variables.product.prodname_dependabot_updates %} are paused. For information about inactivity criteria, see [AUTOTITLE](/code-security/dependabot/dependabot-security-updates/about-dependabot-security-updates#about-automatic-deactivation-of-dependabot-updates) and [AUTOTITLE](/code-security/dependabot/dependabot-version-updates/about-dependabot-version-updates#about-automatic-deactivation-of-dependabot-updates), for security and version updates, respectively.{% endif %}
## Viewing the enablement of code security features for an enterprise
## Viewing the enablement of features for secure coding in an enterprise
You can view data to assess the enablement of code security features across organizations in an enterprise.
You can view data to assess the enablement of security features across organizations in an enterprise.
{% ifversion pre-security-configurations %}
In the enterprise-level view, you can view data about the enablement of features, but you cannot enable or disable features.
@@ -87,7 +87,7 @@ In the enterprise-level view, you can view data about the enablement of features
{% endif %}
You can view data to assess the enablement status and enablement status trends of code security features for an organization.
You can view data to assess the enablement status and enablement status trends of security features for an organization.
{% data reusables.organizations.navigate-to-org %}
{% data reusables.organizations.security-overview %}
@@ -111,7 +111,7 @@ You can view data to assess the enablement status and enablement status trends o
{% endif %}
You can view data to assess the enablement status and enablement status trends of code security features across organizations in an enterprise.
You can view data to assess the enablement status and enablement status trends of security features across organizations in an enterprise.
{% ifversion ghes %}{% data reusables.enterprise-accounts.access-enterprise-ghes %}{% else %}{% data reusables.enterprise-accounts.access-enterprise-on-dotcom %}{% endif %}
{% data reusables.code-scanning.click-code-security-enterprise %}
@@ -127,8 +127,8 @@ You can view data to assess the enablement status and enablement status trends o
## Interpreting and acting on the enablement data
Some code security features can and should be enabled on all repositories. For example, {% data variables.secret-scanning.alerts %} and push protection reduce the risk of a security leak no matter what information is stored in the repository. If you see repositories that don't already use these features, you should either enable them or discuss an enablement plan with the team who owns the repository. For information on enabling features for a whole organization, see {% ifversion security-configurations %}[AUTOTITLE](/code-security/securing-your-organization/enabling-security-features-in-your-organization){% else %}[AUTOTITLE](/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization){% endif %}.
Some security features can and should be enabled on all repositories. For example, {% data variables.secret-scanning.alerts %} and push protection reduce the risk of a security leak no matter what information is stored in the repository. If you see repositories that don't already use these features, you should either enable them or discuss an enablement plan with the team who owns the repository. For information on enabling features for a whole organization, see {% ifversion security-configurations %}[AUTOTITLE](/code-security/securing-your-organization/enabling-security-features-in-your-organization){% else %}[AUTOTITLE](/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization){% endif %}.
Other features are not available for use in all repositories. For example, there would be no point in enabling {% data variables.product.prodname_dependabot %}{% ifversion default-setup-pre-enablement %}{% else %} or {% data variables.product.prodname_code_scanning %}{% endif %} for repositories that only use ecosystems or languages that are unsupported. As such, it's normal to have some repositories where these features are not enabled.
Your enterprise may also have configured policies to limit the use of some code security features. For more information, see [AUTOTITLE](/admin/policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-code-security-and-analysis-for-your-enterprise).
Your enterprise may also have configured policies to limit the use of some security features. For more information, see [AUTOTITLE](/admin/policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-code-security-and-analysis-for-your-enterprise).
@@ -1,6 +1,6 @@
---
title: Assessing your code security risk
shortTitle: Assess security risk to code
title: Assessing the security risk of your code
shortTitle: Assess security risk of code
allowTitleToDifferFromFilename: true
intro: 'You can use security overview to see which teams and repositories are affected by security alerts, and identify repositories for urgent remedial action.'
permissions: '{% data reusables.permissions.security-overview %}'
@@ -31,7 +31,7 @@ You can use the different views on your **Security** tab to explore the security
These views provide you with the data and filters to:
* Assess the landscape of your code security across all your repositories.
* Assess the landscape of security risk of code stored in all your repositories.
* Identify the highest impact vulnerabilities to address.
* Monitor your progress in remediating potential vulnerabilities. {% ifversion security-overview-export-data %}
* Export your current selection of data for further analysis and reporting. {% endif %}
@@ -39,7 +39,7 @@ These views provide you with the data and filters to:
{% ifversion security-overview-dashboard %}
For information about the **Overview**, see [AUTOTITLE](/code-security/security-overview/viewing-security-insights).{% endif %}
## Viewing organization-level code security risks
## Viewing organization-level security risks in code
{% data reusables.organizations.navigate-to-org %}
{% data reusables.organizations.security-overview %}
@@ -55,7 +55,7 @@ For information about the **Overview**, see [AUTOTITLE](/code-security/security-
{% data reusables.security-overview.alert-differences %}
## Viewing enterprise-level code security risks
## Viewing enterprise-level security risks in code
You can view data for security alerts across organizations in an enterprise.
@@ -78,5 +78,5 @@ You can view data for security alerts across organizations in an enterprise.
## Next steps
When you have assessed your code security risks, you are ready to create a security campaign to collaborate with developers to remediate alerts. For information about fixing security alerts at scale, see [AUTOTITLE](/code-security/securing-your-organization/fixing-security-alerts-at-scale/creating-tracking-security-campaigns) and [AUTOTITLE](/code-security/securing-your-organization/fixing-security-alerts-at-scale/best-practice-fix-alerts-at-scale).
When you have assessed your security risks, you are ready to create a security campaign to collaborate with developers to remediate alerts. For information about fixing security alerts at scale, see [AUTOTITLE](/code-security/securing-your-organization/fixing-security-alerts-at-scale/creating-tracking-security-campaigns) and [AUTOTITLE](/code-security/securing-your-organization/fixing-security-alerts-at-scale/best-practice-fix-alerts-at-scale).
{% endif %}
@@ -43,7 +43,7 @@ If a new top-level doc set is created, it is added to the homepage.
If a category serves as the starting point for using a {% data variables.product.prodname_dotcom %} product or feature, it can be added to the homepage.
For example, under the "Security" grouping on the homepage, in addition to the [Code security](/code-security) top-level doc set, the [Supply chain security](/code-security/supply-chain-security), [Security advisories](/code-security/security-advisories), [{% data variables.product.prodname_dependabot %}](/code-security/dependabot), [{% data variables.product.prodname_code_scanning_caps %}](/code-security/code-scanning), and [{% data variables.product.prodname_secret_scanning_caps %}](/code-security/secret-scanning) categories are included because each of those categories are the entry point to {% data variables.product.prodname_dotcom %} products and features. [Security overview](/code-security/security-overview) is not included on the homepage because it provides additional information for using code security products and is not an introduction to a product or feature.
For example, under the "Security" grouping on the homepage, in addition to the [Code security](/code-security) top-level doc set, the [Supply chain security](/code-security/supply-chain-security), [Security advisories](/code-security/security-advisories), [{% data variables.product.prodname_dependabot %}](/code-security/dependabot), [{% data variables.product.prodname_code_scanning_caps %}](/code-security/code-scanning), and [{% data variables.product.prodname_secret_scanning_caps %}](/code-security/secret-scanning) categories are included because each of those categories are the entry point to {% data variables.product.prodname_dotcom %} products and features. [Security overview](/code-security/security-overview) is not included on the homepage because it provides additional information for using secure coding features and is not an introduction to a product or feature.
## Top-level doc set
@@ -1,6 +1,6 @@
---
title: Security analysis
intro: 'Discover ways that you can use {% data variables.product.prodname_copilot %} to improve code security.'
intro: 'Discover ways that you can use {% data variables.product.prodname_copilot %} to improve the security of your code.'
redirect_from:
- /copilot/example-prompts-for-github-copilot-chat/security-analysis
versions:
@@ -101,7 +101,7 @@ If you have an enterprise account, license use for the entire enterprise is show
## About {% data variables.product.prodname_GH_advanced_security %} Certification
You can highlight your code security knowledge by earning a {% data variables.product.prodname_GH_advanced_security %} certificate with {% data variables.product.prodname_certifications %}. The certification validates your expertise in vulnerability identification, workflow security, and robust security implementation. See [AUTOTITLE](/get-started/showcase-your-expertise-with-github-certifications/about-github-certifications).
You can highlight your knowledge by earning a {% data variables.product.prodname_GH_advanced_security %} certificate with {% data variables.product.prodname_certifications %}. The certification validates your expertise in vulnerability identification, workflow security, and robust security implementation. See [AUTOTITLE](/get-started/showcase-your-expertise-with-github-certifications/about-github-certifications).
{% endif %}
@@ -36,7 +36,7 @@ You can certify your proficiency in automating workflows and accelerating develo
### {% data variables.product.prodname_GH_advanced_security %} Certification
You can highlight your code security knowledge with the {% data variables.product.prodname_GH_advanced_security %} certificate. This exam covers:
You can highlight your knowledge with the {% data variables.product.prodname_GH_advanced_security %} certificate. This exam covers:
* Vulnerability identification
* Workflow security
@@ -1,6 +1,6 @@
---
title: Managing security managers in your organization
intro: You can give your security experts the least access they need to configure and monitor code security for your organization using the security manager role.
intro: You can give your security experts the least access they need to configure and monitor the use of security features for codebases in your organization.
versions:
fpt: '*'
ghec: '*'
@@ -18,13 +18,13 @@ permissions: Organization owners can assign the security manager role.
## Permissions for the security manager role
Organization members {% ifversion org-sec-manager-update %} and members of teams {% elsif ghes < 3.16 %}in a team {% endif %}assigned the security manager role have only the permissions required to effectively manage code security for the organization.
Organization members {% ifversion org-sec-manager-update %} and members of teams {% elsif ghes < 3.16 %}in a team {% endif %}assigned the security manager role have only the permissions required to effectively manage use of security features for the organization.
* Read access on all repositories in the organization, in addition to any existing repository access
* Write access on all security alerts in the organization {% ifversion not fpt %}
* Access to view and configure all repositories in the organization's security overview {% endif %}
* The ability to configure code security settings at the organization level{% ifversion not fpt %}, including the ability to enable or disable {% data variables.product.prodname_GH_advanced_security %}{% endif %}
* The ability to configure code security settings at the repository level{% ifversion not fpt %}, including the ability to enable or disable {% data variables.product.prodname_GH_advanced_security %}{% endif %}
* The ability to configure settings for security features at the organization level{% ifversion not fpt %}, including the ability to enable or disable {% data variables.product.prodname_GH_advanced_security %}{% endif %}
* The ability to configure settings for security features at the repository level{% ifversion not fpt %}, including the ability to enable or disable {% data variables.product.prodname_GH_advanced_security %}{% endif %}
{% ifversion fpt %}
Additional functionality, including a security overview for the organization, is available in organizations that use {% data variables.product.prodname_ghe_cloud %}. For more information, see the [{% data variables.product.prodname_ghe_cloud %} documentation](/enterprise-cloud@latest/organizations/managing-peoples-access-to-your-organization-with-roles/managing-security-managers-in-your-organization).
@@ -16,6 +16,6 @@ autogenerated: rest
## About secrets in {% data variables.product.prodname_actions %}
You can use the REST API to create, update, delete, and retrieve information about secrets that can be used in workflows in {% data variables.product.prodname_actions %}. {% data reusables.actions.about-secrets %} For more information, see [AUTOTITLE](/actions/security-guides/using-secrets-in-github-actions).
You can use the REST API to create, update, delete, and retrieve information about secrets that can be used in workflows in {% data variables.product.prodname_actions %}. {% data reusables.actions.about-secrets %} For more information, see [AUTOTITLE](/actions/security-for-github-actions/security-guides/about-secrets).
<!-- Content after this section is automatically generated -->
@@ -1,5 +1,5 @@
---
title: Code security settings
title: Security settings
intro: Use the REST API to create and manage security configurations for your organization.
topics:
- API
@@ -1,8 +1,8 @@
---
title: REST API endpoints for enterprise code security and analysis
shortTitle: Code security and analysis
title: REST API endpoints for enterprise security features for code
shortTitle: Security features for code
allowTitleToDifferFromFilename: true
intro: Use the REST API to manage code security and analysis features for your enterprise.
intro: Use the REST API to manage use of security features for your enterprise.
versions: # DO NOT MANUALLY EDIT. CHANGES WILL BE OVERWRITTEN BY A 🤖
ghec: '*'
ghes: '*'
@@ -49,7 +49,7 @@ Ticket priority helps to ensure that support requests are handled in order, and
## Ticket priorities for {% data variables.product.prodname_advanced_security %}
All tickets regarding code security features follow this logic for ticket prioritization.
All tickets regarding security features follow this logic for ticket prioritization.
| Priority | Description |
| :---: | --- |
@@ -82,7 +82,7 @@ sections:
- |
...
- heading: Code security
- heading: Secure coding features
notes:
# LINK TO RELEASE ISSUE
- |
@@ -1,5 +1,5 @@
* Names can only contain alphanumeric characters (`[a-z]`, `[A-Z]`, `[0-9]`) or underscores (`_`). Spaces are not allowed.
* Names must not start with the `GITHUB_` prefix.
* Names must not start with a number.
* Names are case insensitive.
* Names must be unique at the level they are created at.
* Can only contain alphanumeric characters (`[a-z]`, `[A-Z]`, `[0-9]`) or underscores (`_`). Spaces are not allowed.
* Must not start with the `GITHUB_` prefix.
* Must not start with a number.
* Are case insensitive.
* Must be unique to the repository, organization, or enterprise where they are created.
@@ -1 +1 @@
For secrets stored at the organization-level, you can use access policies to control which repositories can use organization secrets. Organization-level secrets let you share secrets between multiple repositories, which reduces the need for creating duplicate secrets. Updating an organization secret in one location also ensures that the change takes effect in all repository workflows that use that secret.
Organization-level secrets let you share secrets between multiple repositories, which reduces the need for creating duplicate secrets. Updating an organization secret in one location also ensures that the change takes effect in all repository workflows that use that secret.
@@ -1,2 +1,2 @@
> [!WARNING]
> If a secret was used in the job, {% data variables.product.prodname_dotcom %} automatically redacts secrets printed to the log. You should avoid printing secrets to the log intentionally.
> If a secret is used in a workflow job, {% data variables.product.prodname_dotcom %} automatically redacts secrets printed to the log. You should avoid printing secrets to the log intentionally.
@@ -1,9 +1,9 @@
{% ifversion org-sec-manager-update %}
The security manager role is an organization-level role that organization owners can assign to any member or team in the organization. When applied, it gives permission to view security alerts and manage settings for code security across your organization, as well as read permission for all repositories in the organization.
The security manager role is an organization-level role that organization owners can assign to any member or team in the organization. When applied, it gives permission to view security alerts and manage settings for security features across your organization, as well as read permission for all repositories in the organization.
{% elsif ghes < 3.16 %}
Security manager is an organization-level role that organization owners can assign to any team in an organization. When applied, it gives every member of the team permission to view security alerts and manage settings for code security across your organization, as well as read permission for all repositories in the organization.
Security manager is an organization-level role that organization owners can assign to any team in an organization. When applied, it gives every member of the team permission to view security alerts and manage settings for security features across your organization, as well as read permission for all repositories in the organization.
{% endif %}
@@ -13,8 +13,9 @@ import contextualize from '#src/frame/middleware/context/context.js'
// for now, we're just querying pageinfo, we'll likely replace /api/pageinfo
// with /api/meta and move or reference that code here
async function getArticleMetadata(req: ExtendedRequestWithPageInfo) {
const host = req.get('x-host') || req.get('x-forwarded-host') || req.get('host')
const queryString = new URLSearchParams(req.query as Record<string, string>).toString()
const apiUrl = `${req.protocol}://${req.get('host')}/api/pageinfo${queryString ? `?${queryString}` : ''}`
const apiUrl = `${req.protocol}://${host}/api/pageinfo${queryString ? `?${queryString}` : ''}`
// Fetch the data from the pageinfo API
const response = await fetch(apiUrl)
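Review bot: The host interpolated into `apiUrl` on the new side (`const host = req.get('x-host') || req.get('x-forwarded-host') || req.get('host')`) is taken from request headers that any client can set unless a trusted proxy in front of the app overwrites them, so the server-side `fetch` that follows can be steered to an origin the caller chose rather than this service. Before using it, validate the resolved value against the hostnames this service is actually deployed at (or honour the two forwarded headers only when the app is configured to trust its proxy) and fall back to `req.get('host')` otherwise; a one-line comment on the `host` declaration naming which proxy sets `x-host` would also help the next reader. getArticleMetadata's body continues outside the hunk, so I cannot see whether the response status is checked before the body is used.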
@@ -6,7 +6,7 @@
"ghes": "*"
},
"topics": [
"Advanced Security",
"Code Security",
"Code scanning",
"CodeQL"
],
@@ -84,6 +84,7 @@ export function SearchOverlay({
const [aiSearchError, setAISearchError] = useState<boolean>(false)
const [aiReferences, setAIReferences] = useState<AIReference[]>([] as AIReference[])
const [aiCouldNotAnswer, setAICouldNotAnswer] = useState<boolean>(false)
const [showSpinner, setShowSpinner] = useState(false)
// Group all events between open / close of the overlay together
const searchEventGroupId = useRef<string>('')
@@ -110,6 +111,26 @@ export function SearchOverlay({
const { aiAutocompleteOptions, generalSearchResults, totalGeneralSearchResults } =
autoCompleteOptions
// Whenever "searchLoading" changes, decide whether to show the spinner after 1s.
useEffect(() => {
let timer: ReturnType<typeof setTimeout>
// If it's the initial fetch, show the spinner immediately
if (!aiAutocompleteOptions.length && !generalSearchResults.length) {
return setShowSpinner(true)
}
if (searchLoading) {
timer = setTimeout(() => setShowSpinner(true), 1000)
} else {
setShowSpinner(false)
}
return () => {
clearTimeout(timer)
}
}, [searchLoading, aiAutocompleteOptions.length, generalSearchResults.length])
// Filter out any options that match the local query and replace them with a custom user query option that include isUserQuery: true
const filteredAIOptions = aiAutocompleteOptions.filter(
(option) => option.term !== urlSearchInputQuery,
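Review bot: The early exit `return setShowSpinner(true)` in the new effect hands the setter's return value to React as the effect's cleanup, which only works because the setter returns undefined; writing it as two statements, `setShowSpinner(true)` followed by a bare `return`, makes the intent plain and avoids tripping lint rules on effect return values. That branch also fires whenever both result lists are empty regardless of searchLoading, so after a completed search with no results showSpinner stays true while searchLoading is false; renderSearchGroups further down appears to gate the spinner on `if (searchLoading)`, so this is probably harmless today, but adding `&& searchLoading` to the condition, or clearing the spinner in the else branch, keeps the state truthful. The enclosing SearchOverlay function starts and ends outside the hunk.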
@@ -225,10 +246,10 @@ export function SearchOverlay({
// When loading, capture the last height of the suggestions list so we can use it for the loading div
const previousSuggestionsListHeight = useMemo(() => {
if (suggestionsListHeightRef.current?.clientHeight) {
return suggestionsListHeightRef.current.clientHeight
if (generalSearchResults.length || aiAutocompleteOptions.length) {
return 7 * (generalSearchResults.length + aiAutocompleteOptions.length) + ''
} else {
return '250' // Default height that looks very close to 5 suggestions (in px)
return '150' // Default height for just 2 suggestions
}
}, [searchLoading])
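Review bot: The memo returns a number from `clientHeight` on one branch and the string `'150'` on the fallback branch, which appears to be why renderSearchGroups below declares the parameter as `number | string`; returning a number there, `return 150 // Default height for just 2 suggestions`, lets the parameter narrow to `number`. The `${previousSuggestionsListHeight}px` template in the sx blocks tolerates either, so this is a typing and style point rather than a runtime defect. The memo also reads `suggestionsListHeightRef.current` while listing only `searchLoading` as a dependency, which looks deliberate (snapshot the last height each time loading flips) but deserves a one-line comment such as `// Re-snapshot only when searchLoading changes; the ref is read outside the deps on purpose`, since exhaustive-deps lint will not flag refs. The enclosing SearchOverlay function starts and ends outside the hunk.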
@@ -461,6 +482,9 @@ export function SearchOverlay({
showDividers
className={styles.suggestionsList}
ref={suggestionsListHeightRef}
sx={{
minHeight: `${previousSuggestionsListHeight}px`,
}}
>
{/* Always show the AI Search UI error message when it is needed */}
{aiSearchError && (
@@ -520,7 +544,7 @@ export function SearchOverlay({
selectedIndex,
listElementsRef,
askAIState,
searchLoading,
showSpinner,
previousSuggestionsListHeight,
)}
</ActionList>
@@ -533,6 +557,9 @@ export function SearchOverlay({
showDividers
className={styles.suggestionsList}
ref={suggestionsListHeightRef}
sx={{
minHeight: `${previousSuggestionsListHeight}px`,
}}
>
{renderSearchGroups(
t,
@@ -544,7 +571,7 @@ export function SearchOverlay({
selectedIndex,
listElementsRef,
askAIState,
searchLoading,
showSpinner,
previousSuggestionsListHeight,
)}
</ActionList>
@@ -687,7 +714,7 @@ function renderSearchGroups(
aiCouldNotAnswer: boolean
setAICouldNotAnswer: (value: boolean) => void
},
searchLoading: boolean,
showSpinner: boolean,
previousSuggestionsListHeight: number | string,
) {
const groups = []
@@ -733,7 +760,7 @@ function renderSearchGroups(
groups.push(<ActionList.Divider key="no-answer-divider" />)
}
if (searchLoading) {
if (showSpinner) {
groups.push(
<Box
key="loading"